Thursday, 16 March 2006

Numerous tech media sites, including this one, are touting "research" by some Dutch group that claims RFID tags "are as susceptible to viruses as personal computers".

This is, of course, utter nonsense. Like any data-storage device, it's possible to store viral code on an RFID tag. It's also theoretically possible to construct an RFID tag that might exploit a buffer overflow in the software that reads the tag data. However, these things are all easy to avoid. The researchers had to actually build their own RFID-reading software with appropriate customised vulnerabilities because none of the commercially available stuff was susceptible to their attack technique.
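What "easy to avoid" means in reader software, as an added example that is not code from this post or from the research it discusses: treat the tag's contents as untrusted input and check the tag's own length field against the bytes actually read, the destination buffer, and an allow-list before copying anything. The record layout, `TAG_ID_MAX`, the status names and the character allow-list are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_ID_MAX 24 /* assumed application limit, not taken from any RFID standard */

enum tag_status { TAG_OK, TAG_BAD_ARG, TAG_TRUNCATED, TAG_TOO_LONG, TAG_BAD_CHAR };

/* Constructed samples. Assumed layout: [1-byte declared length][ID bytes]. */
static const uint8_t SAMPLE_GOOD[]       = { 3, 'A', 'B', 'C' };
static const uint8_t SAMPLE_LYING_LEN[]  = { 200, 'A', 'B' };  /* claims 200, carries 2 */
static const uint8_t SAMPLE_OVERSIZE[31] = { 30 };             /* 30 bytes, over the limit */
static const uint8_t SAMPLE_BAD_CHAR[]   = { 4, 'A', '\'', ';', 'B' };

/* Copy a tag ID into out only if every check passes; out is always NUL-terminated. */
enum tag_status parse_tag_record(const uint8_t *raw, size_t raw_len,
                                 char *out, size_t out_size)
{
    if (raw == NULL || out == NULL || out_size == 0)
        return TAG_BAD_ARG;
    out[0] = '\0';
    if (raw_len < 1)
        return TAG_TRUNCATED;
    size_t declared = raw[0];
    if (declared > raw_len - 1)              /* length field vs. bytes actually read */
        return TAG_TRUNCATED;
    if (declared > TAG_ID_MAX || declared >= out_size) /* vs. policy and destination */
        return TAG_TOO_LONG;
    for (size_t i = 0; i < declared; i++) {  /* allow-list: 0-9 and A-Z only */
        uint8_t c = raw[1 + i];
        if (!((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z')))
            return TAG_BAD_CHAR;
    }
    memcpy(out, raw + 1, declared);
    out[declared] = '\0';
    return TAG_OK;
}

int main(void)
{
    char id[TAG_ID_MAX + 1];
    printf("good:      %d\n", parse_tag_record(SAMPLE_GOOD, sizeof SAMPLE_GOOD, id, sizeof id));
    printf("id:        %s\n", id);
    printf("lying len: %d\n", parse_tag_record(SAMPLE_LYING_LEN, sizeof SAMPLE_LYING_LEN, id, sizeof id));
    printf("oversize:  %d\n", parse_tag_record(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE, id, sizeof id));
    printf("bad char:  %d\n", parse_tag_record(SAMPLE_BAD_CHAR, sizeof SAMPLE_BAD_CHAR, id, sizeof id));
    return 0;
}
```

The same checks apply unchanged to data read from a smartcard, a bar code or a magnetic stripe.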

Realistically, RFID tags are no more a risk than smartcards, bar codes (especially the 2-dimensional high-density ones) or even old-fashioned magnetic stripe credit cards: all of these technologies carry arbitrary data that is read and processed by software systems that could have vulnerabilities.

Scaremongering like this is really unhelpful. Security issues are confusing enough for the mass of computer users without getting them worried about phantom scares. The problem (if there is one) is not RFID tags themselves, but sloppy coding, which should be eliminated wherever it occurs.

Mind you, there are plenty of other reasons why ubiquitous RFID tags are a bad thing...